When a Linux server is exposed to an external network it is easy for it to be scanned and attacked, and for an attacker to end up with access to the server. Therefore, if an unfamiliar account or source IP logs in to the server, you should be highly vigilant: change passwords, check for vulnerabilities, and review the login history. The commands below show where Linux records logins and how to read those records.
1. wtmp log
View all login records (SSH and local console) kept in /var/log/wtmp, including the source IP. The output columns are: user name, terminal, login source, start time, end time and session duration. Note that the last line of the output gives the time at which the wtmp file began recording; anything older has been rotated away or cleared. You can also read a different file (for example a rotated wtmp.1) with the -f parameter of last. Keep in mind that wtmp is a binary file writable by root, so an intruder who has obtained root can truncate or edit it; always cross-check against /var/log/secure and, where available, logs shipped off the host.
Command: last
[root@localhost ~]# last
root pts/0 192.168.8.88 Wed Jan 4 11:03 still logged in
root pts/1 10.10.10.253 Tue Jan 3 21:23 - 21:39 (00:16)
root pts/0 192.168.8.88 Tue Jan 3 21:09 - 10:55 (13:46)
reboot system boot 3.10.0-957.el7.x Tue Jan 3 09:43 - 16:46 (2+07:02)
root pts/0 192.168.8.88 Tue Jan 3 09:12 - down (00:08)
reboot system boot 3.10.0-957.el7.x Tue Jan 3 09:11 - 09:20 (00:08)
wtmp begins Mon Dec 12 16:35:12 2022
Command: last -x -F (-x also shows system shutdowns and runlevel changes; -F prints full login and logout dates and times instead of abbreviated ones)
[root@localhost ~]# last -x -F
root pts/0 192.168.8.88 Wed Jan 4 11:03:55 2023 still logged in
root pts/1 10.10.10.253 Tue Jan 3 21:23:34 2023 - Tue Jan 3 21:39:38 2023 (00:16)
runlevel (to lvl 3) 3.10.0-957.el7.x Mon Dec 12 16:36:28 2022 - Mon Dec 12 16:49:59 2022 (00:13)
reboot system boot 3.10.0-957.el7.x Mon Dec 12 16:35:12 2022 - Mon Dec 12 16:49:59 2022 (00:14)
wtmp begins Mon Dec 12 16:35:12 2022
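As an added example that is not part of the original post, the filter below takes `last -x -F` output and prints the interactive sessions whose source address is not on a list of known admin hosts, plus a count of sessions that are still open. The sample listing and the allowlist entry 192.168.8.88 are constructed to mirror the output above and are assumptions for the demo; on a real host you pipe the live command in instead: last -x -F | unknown_sources.

```shell
#!/bin/sh
# Added example (not from the original post): triage `last -x -F` output
# against an allowlist of known admin source addresses.

# Constructed sample in the shape of `last -x -F` on CentOS 7. The
# addresses and times are made up to match the post's listing.
SAMPLE_LAST='root     pts/0        192.168.8.88     Wed Jan  4 11:03:55 2023   still logged in
root     pts/1        10.10.10.253     Tue Jan  3 21:23:34 2023 - Tue Jan  3 21:39:38 2023  (00:16)
root     pts/0        192.168.8.88     Tue Jan  3 21:09:10 2023 - Wed Jan  4 10:55:20 2023  (13:46)
runlevel (to lvl 3)   3.10.0-957.el7.x Mon Dec 12 16:36:28 2022 - Mon Dec 12 16:49:59 2022  (00:13)
reboot   system boot  3.10.0-957.el7.x Mon Dec 12 16:35:12 2022 - Mon Dec 12 16:49:59 2022  (00:14)

wtmp begins Mon Dec 12 16:35:12 2022'

# Known admin jump hosts, space separated (assumption for the demo).
ALLOWED_SOURCES='192.168.8.88'

# unknown_sources: read `last -x -F` output on stdin and print
# "user ip weekday month day time" for each remote session whose source
# is not in ALLOWED_SOURCES. Reboot/runlevel pseudo-entries, the blank
# line and the "wtmp begins" trailer are skipped. Local console logins
# (tty1) have an empty host column, so a dotted quad in field 3 is
# required before the field is treated as a source address.
unknown_sources() {
  awk -v allow="$ALLOWED_SOURCES" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "reboot" || $1 == "runlevel" || $1 == "wtmp" || NF == 0 { next }
    $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($3 in ok) {
      print $1, $3, $4, $5, $6, $7
    }'
}

# open_sessions: number of sessions that `last` reports as still open.
# During an incident, each of these should be tied to a known person.
open_sessions() {
  grep -c 'still logged in'
}

# Demo run on the constructed sample; in production:
#   last -x -F | unknown_sources
#   last -x -F | open_sessions
printf '%s\n' "$SAMPLE_LAST" | unknown_sources
printf '%s\n' "$SAMPLE_LAST" | open_sessions
```

The session from 10.10.10.253 is the only one flagged: it is the login the post's own listing shows coming from an address other than the usual admin host, and it is exactly the kind of entry the text says should trigger a password change and a vulnerability review.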
2. Check the status of online users
(1) The w command displays the users currently logged in to the system and the command each one is running. Run on its own it shows all users; give it a user name to show only that user's sessions:
w username
[root@localhost ~]# w
16:49:36 up 2 days, 7:12, 1 user, load average: 0.06, 0.03, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.8.88 Wed11 0.00s 2.57s 0.00s w
(2) who am i displays the source address of the current session, i.e. the IP the SSH connection came from (it reports the original login even after su, which is useful when checking where you yourself are connected from):
[root@localhost ~]# who am i
root pts/0 2023-01-04 11:03 (192.168.8.88)
3. lastlog lists the most recent login of every user
lastlog reads /var/log/lastlog and shows, for each account in /etc/passwd, the login name, port, source and time of the last login. Pay attention to service accounts (bin, daemon, sshd, apache and so on) that suddenly show a login time: those should always read "Never logged in".
[root@localhost ~]# lastlog
Username Port From Latest
root pts/0 192.168.8.88 Wed Jan 4 11:03:55 +0800 2023
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
sync **Never logged in**
shutdown **Never logged in**
halt **Never logged in**
mail **Never logged in**
operator **Never logged in**
games **Never logged in**
ftp **Never logged in**
nobody **Never logged in**
systemd-network **Never logged in**
dbus **Never logged in**
polkitd **Never logged in**
libstoragemgmt **Never logged in**
abrt **Never logged in**
rpc **Never logged in**
sshd **Never logged in**
postfix **Never logged in**
ntp **Never logged in**
chrony **Never logged in**
tcpdump **Never logged in**
apache **Never logged in**
mabos **Never logged in**
4. lastb lists failed login attempts
It works exactly like the last command, except that by default it reads /var/log/btmp, which records failed login attempts. An output consisting only of the "btmp begins" trailer, as below, means no failures have been recorded since that time. Like wtmp, btmp is a binary file that root can clear, so a suspiciously recent "begins" time is itself worth noting.
[root@localhost ~]# lastb
btmp begins Wed Jan 4 20:18:51 2023
5. SSH login log analysis
Check /var/log/secure (CentOS; on Debian and Ubuntu the equivalent is /var/log/auth.log, and on systemd hosts journalctl -u sshd shows the same messages). Look for large numbers of unfamiliar IPs attempting to log in repeatedly, and for successful login records from those same IPs, focusing on the time window in which the incident occurred. Remember that rotated copies (secure-*) may hold the relevant period.
cat /var/log/secure | more
Jan 4 11:03:55 localhost sshd[7648]: Accepted password for root from 192.168.8.88 port 56455 ssh2
Jan 4 11:03:55 localhost sshd[7648]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 4 11:03:55 localhost sshd[7650]: Accepted password for root from 192.168.8.88 port 56458 ssh2
Jan 4 11:03:55 localhost sshd[7650]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 4 15:34:34 localhost polkitd[4857]: Registered Authentication Agent for unix-process:8161:10782133 (system bus name :1.458 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8)
Jan 4 15:34:34 localhost polkitd[4857]: Unregistered Authentication Agent for unix-process:8161:10782133 (system bus name :1.458, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
Jan 4 20:18:49 localhost useradd[20139]: failed adding user 'dbus', exit code: 9
Jan 4 20:18:51 localhost polkitd[4857]: Reloading rules
Command: less /var/log/secure | grep 'Accepted' (lists every successful authentication with its source IP; the counterpart grep 'Failed' shows the attempts that did not succeed)
[root@localhost ~]# less /var/log/secure | grep 'Accepted'
Jan 3 09:12:14 localhost sshd[5901]: Accepted password for root from 192.168.8.88 port 57536 ssh2
Jan 3 09:12:14 localhost sshd[5903]: Accepted password for root from 192.168.8.88 port 57539 ssh2
Jan 3 21:09:05 localhost sshd[6674]: Accepted password for root from 192.168.8.88 port 58119 ssh2
Jan 3 21:09:06 localhost sshd[6676]: Accepted password for root from 192.168.8.88 port 58122 ssh2
Jan 3 21:23:28 localhost sshd[6736]: Accepted password for root from 10.10.10.253 port 52502 ssh2
Jan 3 21:23:30 localhost sshd[6738]: Accepted password for root from 10.10.10.253 port 52790 ssh2
Jan 4 11:03:55 localhost sshd[7648]: Accepted password for root from 192.168.8.88 port 56455 ssh2
Jan 4 11:03:55 localhost sshd[7650]: Accepted password for root from 192.168.8.88 port 56458 ssh2
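The grep above only lists successes. As an added example that is not part of the original post, the script below goes one step further and correlates failed and accepted sshd authentications per source IP, which surfaces the pattern that matters most in a compromise review: a burst of failures from one address followed by an "Accepted" from the same address. It also handles the "invalid user" form of the failure line and publickey logins, which a plain grep for "Accepted password" misses. The log lines, addresses, PIDs and user names in SAMPLE_SECURE are constructed for the demo; on a real host run suspicious_success 3 < /var/log/secure.

```shell
#!/bin/sh
# Added example (not from the original post): per-IP correlation of
# failed and accepted sshd authentications in /var/log/secure.

# Constructed sample lines in CentOS 7 /var/log/secure format. The
# addresses (RFC 5737 test ranges), PIDs and user names are made up.
SAMPLE_SECURE='Jan  4 20:11:02 localhost sshd[20101]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jan  4 20:11:05 localhost sshd[20103]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Jan  4 20:11:09 localhost sshd[20105]: Failed password for invalid user oracle from 203.0.113.7 port 41041 ssh2
Jan  4 20:11:13 localhost sshd[20107]: Failed password for root from 203.0.113.7 port 41055 ssh2
Jan  4 20:11:18 localhost sshd[20109]: Accepted password for root from 203.0.113.7 port 41060 ssh2
Jan  4 20:11:18 localhost sshd[20109]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan  4 20:30:41 localhost sshd[20201]: Accepted publickey for deploy from 192.168.8.88 port 56455 ssh2
Jan  4 20:45:12 localhost sshd[20301]: Failed password for root from 198.51.100.20 port 50001 ssh2
Jan  4 20:45:12 localhost sshd[20301]: Failed password for root from 198.51.100.20 port 50001 ssh2'

# auth_summary: read secure-format lines on stdin, print one line per
# source IP: "ip failed accepted", sorted by IP. Only sshd
# Failed/Accepted lines are counted; pam_unix and polkitd noise is
# ignored. The source IP is the token after "from", which works for both
# "for <user> from" and "for invalid user <user> from" (the latter means
# the account name does not exist, a typical sign of a wordlist attack).
auth_summary() {
  awk '
    /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for / {
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if ($6 == "Failed") fail[ip]++; else ok[ip]++
      seen[ip] = 1
    }
    END { for (ip in seen) print ip, fail[ip] + 0, ok[ip] + 0 }' | sort
}

# suspicious_success: IPs that failed at least $1 times (default 3) and
# then got in at least once. These are the sessions to treat as hostile
# until proven otherwise: reset the password, check authorized_keys,
# cron and new accounts created around the "Accepted" timestamp.
suspicious_success() {
  auth_summary | awk -v min="${1:-3}" '$2 >= min && $3 > 0 { print $1 }'
}

# Demo run on the constructed sample; in production:
#   auth_summary       < /var/log/secure
#   suspicious_success 3 < /var/log/secure
printf '%s\n' "$SAMPLE_SECURE" | auth_summary
printf '%s\n' "$SAMPLE_SECURE" | suspicious_success 3
```

On the sample, 198.51.100.20 only failed and 192.168.8.88 only succeeded with a key, so neither is flagged; 203.0.113.7 failed four times across two non-existent user names and then logged in as root with a password, which is the signature of a successful brute-force and the address to pivot on in the rest of the investigation.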
Other login-related logs:
/var/log/messages general system messages
/var/log/secure authentication and login information (the file read in section 5)
/var/log/maillog mail log
/var/run/utmp currently logged-in users (read by w and who; on older systems this lived under /var/log)
/var/log/wtmp login history (read by last)
/var/log/btmp failed login attempts (read by lastb)
/var/log/lastlog most recent login per user (read by lastlog)